Running an insecure registry --insecure-registry

Expected behavior

On ubuntu, the very first thing to do is add our private registry to allow loading of images from a (vpn-ed) untrusted registry

Actual behavior

On ubuntu, I would be able to edit /etc/default/docker and change the OPTS or while creating a docker-machine add the insecure registry to the OPTS as well

Information

OS X: version 10.11.3 (build: 15D21)
Docker.app: version v1.10.3-beta5
Running diagnostic tests:
[OK] docker-cli
[OK] Moby booted
[OK] driver.amd64-linux
[OK] vmnetd
[OK] lofs
[OK] osxfs
[OK] db
[OK] slirp
[OK] menubar
[OK] environment
[OK] Docker
[OK] VT-x
Docker logs are being collected into /tmp/20160331-211925.tar.gz.
Your unique id in bugsnag is: A60C8759-3C6D-4EFB-8873-5D0DCAEF9C71

1 Like

Also a problem we ran into while hosting an artifactory registry.

docker login xxxxx

Username (nskitch):
Password:
Error response from daemon: invalid registry endpoint xxxxx: unable to ping registry endpoint https://xxxx./v0/
v2 ping attempt failed with error: Get xxxx/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get xxxxx: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add --insecure-registry xxxx to the daemon’s arguments. In the case of HTTPS, if you have access to the registry’s CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/xxxx.com/ca.crt

then when trying to include flag:

docker --insecure-registry xxxxx.com login xxxxx.com
flag provided but not defined: --insecure-registry

If I understand correctly, you should be able to configure insecure-registry using pinata set daemon.

$ pinata set daemon @daemon.json
daemon.json -> {"storage-driver":"aufs","debug":true,"insecure-registry":"my.insecure.registry:5000"}
$ pinata get daemon
{"storage-driver":"aufs","debug":true,"insecure-registry":"my.insecure.registry:5000"}

I wasn’t able to figure out running the command without a json file, nor was I able now to find the docs that describe pinata.

1 Like

This is also something I’ve just encountered… An answer on how to configure docker on OSX would be great, thanks!

As far as I know “insecure-registry” is not one of the daemon.json options, so you cannot set it in the config file, and neither can you specify it in the command line.

The recommended way of installing a registry is with a certificate from a CA as per https://docs.docker.com/registry/deploying/

We are aware that it is not currently possible to use http or https with self signed keys for registries but recommend you obtain a certificate in the mean time.

ya you’re correct, https://docs.docker.com/engine/reference/commandline/daemon/#daemon-configuration-file has a list of variables available to the .json config file. Anything else is ignored.

i was able to modify /etc/init.d/docker (by opening a console to the linux machine: screen ~/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/tty) on line 39:

DOCKER_OPTS="${DOCKER_OPTS} -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock --insecure-registry some.domain.here"

and it will work after restarting the daemon (/etc/init.d/docker restart)

However whenever Docker 4 Mac restarts (ex: restarting computer), this changed is reverted. I suspect it’s because the image is reloaded. Is there any way to modify the change in a more permanent way? (besides trying to modify the com.docker.driver.amd64-linux container, since any updates from you guys would wipe the change too)

3 Likes

To follow up, Docker for Mac can now use self-signed certs that are added to the macOS keychain: https://docs.docker.com/docker-for-mac/faqs/#/how-do-i-add-custom-ca-certificates